security context to the new cell tower. However, the LTE security design requires two additional security features: backward security and forward security. Backward security is a feature where if the security keys leak after a hand-over, for instance through a compromised cell tower, all the information encrypted before that hand-over remains confidential. This feature is easily obtained by transmitting a hash of the security keys to the next cell tower, so a compromised key will only leak a hash of previous keys. Forward security is the feature where if the security keys leak before a hand-over, all the information encrypted after that hand-over is again confidentially protected. This requires a fresh key generated after an inner-cell tower hand-over, by the MME and handset. This forward security feature undermines the benefit of not involving the MME during hand-overs. Therefore 3GPP defines $n$-hop forward security, where any cell tower with knowledge of the current keys is unable to predict the keys used after $n$ handovers. These terms of forward and backward security are defined by 3GPP and are somewhat confusingly named with respect to Perfect Forward Secrecy (PFS). PFS has more in common with backward security, but is not the same. In fact, the LTE hand-over security is not PFS, even though it is forward and backward secure [183].
The new key diversification in LTE adds extra security properties, but does not offer additional protection against the weaknesses common between GSM and UMTS described above.
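The hand-over key chaining described above can be modelled in a few lines. This is an added example, not code from the thesis or from 3GPP: HMAC-SHA-256 stands in for the real key derivation, and the function names, labels, root key and cell path are all constructed assumptions. It counts how many future keys a tower can compute from the key it holds, depending on how often the MME injects fresh material.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step; HMAC-SHA-256 stands in for the real key derivation (assumption)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def tower_next_key(current_key: bytes, target_cell: str) -> bytes:
    """Hand-over without the MME: the source tower hashes its own key for the target."""
    return kdf(current_key, b"chain|" + target_cell.encode())

def mme_fresh_key(root_key: bytes, hop: int, target_cell: str) -> bytes:
    """Hand-over with the MME: derived from a root key only MME and handset hold."""
    return kdf(kdf(root_key, b"fresh|" + hop.to_bytes(4, "big")), target_cell.encode())

def simulate(root_key: bytes, cells: list, fresh_every: int) -> list:
    """Key used in each cell; every `fresh_every`-th hand-over involves the MME."""
    keys = [kdf(root_key, b"initial|" + cells[0].encode())]
    for hop in range(1, len(cells)):
        if hop % fresh_every == 0:
            keys.append(mme_fresh_key(root_key, hop, cells[hop]))
        else:
            keys.append(tower_next_key(keys[-1], cells[hop]))
    return keys

def predictable_hops(keys: list, cells: list, leaked_at: int) -> int:
    """Number of later keys a tower holding keys[leaked_at] can recompute alone."""
    guess, count = keys[leaked_at], 0
    for hop in range(leaked_at + 1, len(keys)):
        guess = tower_next_key(guess, cells[hop])
        if guess != keys[hop]:
            break            # fresh MME material: the chain is cut here
        count += 1
    return count

ROOT = bytes(range(32))                    # constructed sample root key
CELLS = ["A", "B", "C", "D", "E", "F"]     # constructed hand-over path

if __name__ == "__main__":
    for every in (100, 3, 1):              # 100 = MME never involved on this path
        keys = simulate(ROOT, CELLS, every)
        print(every, [predictable_hops(keys, CELLS, i) for i in range(len(CELLS))])
```

With fresh material every third hand-over no tower can follow the chain for more than two hops, which is the $n$-hop property with $n = 3$; recovering an earlier key from a later one would require inverting the hash in every configuration.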
3.6 Conclusions
Passively eavesdropping on GSM remains pretty hard to do using publicly available hardware and software. Theoretically, there are no real constraints in breaking conversation confidentiality in GSM using the A5/1 cipher. However, there are still several practical issues making a working implementation of a GSM sniffer using freely available hardware hard to do.
First of all, some essential software has not been released. Although an explanation on how to perform these steps is available, it is still some work to do this. Moreover, when all the required software is available, then the attack is still far away from a catch-all attack, able to eavesdrop on any GSM conversation. This is again due to several practical limitations, such as reception quality and limited coverage of the pre-computation tables.
The release of the rainbow tables and the Kraken tool has made the breaking of the A5/1 encryption much easier. However, this approach does have a few downsides: besides the hard disk size this method also requires perfect samples – putting additional strain on the capturing process – and, as is normal with such tables, they will never give a 100% chance of finding the key. Still, the current coverage is workable given enough samples. It also turns out that it is currently hard to obtain the pre-computation tables online, as only very few people seem to share them.
The presented active attacks all have the same problems on the reception level, but bypass most of the decrypting issues. Their biggest downside is that they are noticeable attacks, as the attacker has to transmit signals, although victims have to be very observant to notice. These issues with active attacks are only present when trying to create these attacks with easily available software and hardware. A well-funded attacker can simply buy practical solutions.
Of the countermeasures that are often referred to by the GSM industry when downplaying the news stories, the most effective one is essentially to bypass GSM altogether and solely use the newer 3GPP protocols UMTS and LTE. However, this could lead to degraded service, as the coverage is not always as good as with GSM and providers are keen to keep voice calls on GSM, keeping their UMTS and LTE frequencies free for high definition video downloads, or other internet traffic. The adoption of voice over UMTS has increased in recent years, often as an additional service called “HD Voice,” but voice over LTE is very rare.
UMTS, the successor of GSM, introduced all the added security needed to mitigate GSM’s biggest weaknesses: weak encryption and lack of mutual authentication. Regrettably, some minor weaknesses are still present, even in UMTS’s successor LTE. Most of the security of the mobile phone network is dependent on the provider settings, such as which encryption algorithms are supported, and the aforementioned voice over UMTS. These settings differ per location area, per provider. As such, it is hard to make a general assessment of the confidentiality on the wireless interface.
Finally, when the goal of the attacker is to only capture SMS messages, or impersonate the victim, he could perform a much simpler attack: SIM card fraud. In this attack the attacker simply requests a new SIM card at the provider of the victim for the victim’s mobile phone number. If the provider does not sufficiently verify the victim’s identity, then this is a simple, but short-lived, impersonation attack, as the victim will quickly notice a complete lack of service.
Chapter 4
Time Memory Trade-Off attacks
The previous chapter discussed confidentiality attacks on the wireless links of mobile telephony networks, by focusing on the protocols and actually capturing signals. Naturally, the protection for confidentiality is offered by encryption, therefore this chapter will focus on the cryptography used on the wireless link. In a passive eavesdropping attack (and also in some active attacks), an attacker will need to break the encryption in order to obtain his goals. Therefore, we need to know how hard it is to break the actual encryption. So, we focus on the, at that time, most widely used cipher in GSM, A5/1. This chapter looks at the Time-Memory Trade-Off (TMTO) attacks possible against stream ciphers and the specific TMTO attack successfully used against GSM’s main cipher. We specifically focus on the time and memory costs of each different attack, with a, for that time, new analysis.
This chapter is based on the paper A comparison of time-memory trade-off attacks on stream ciphers, presented at the 6th International Conference on the Theory and Application of Cryptographic Techniques in Africa, AfricaCrypt 2013 [176]. This publication referred to the Fuzzy Rainbow Table attack as the “Kraken” attack, because at the time we were not aware of the earlier work [11] proposing this type of attack. This chapter also contains more information on new publications since our original publication and looks deeper into the practical comparison of TMTO attacks. Finally, this chapter includes our attempts at improving the Fuzzy Rainbow Table attack, which did not fit within the page limit of the original publication.
4.1 Introduction
There are many scenarios in which an attacker wants to reverse a cryptographic function, such as a hash function or a cipher. An attacker trying to break a cryptographic function can always try to either brute force the function, or precompute all possible values beforehand and store them in a large table, so every subsequent attack is a simple look-up. Most cryptographic functions are protected from these attacks by having a large enough key size or state size, which makes the time complexity or the storage requirements of such attacks too large in practice.
In 1980 Hellman caused a breakthrough by suggesting a Time-Memory Trade-Off attack which is probabilistic and falls somewhere in between a brute force attack and a precomputation attack. Hellman showed that using his attack he could reverse an $n$-bit key cipher, in $2^{2n/3}$ time complexity, by precomputing $2^n$ values and storing $2^{2n/3}$ of them [95]. The total amount of work done in this attack is more than in a single brute-force attack, but with each subsequent attack the Time-Memory Trade-Off attack is much cheaper. This made ciphers using keys that until then were thought large enough to prevent a brute-force attack suddenly susceptible to this new Time-Memory Trade-Off attack.
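The cost accounting in Hellman's trade-off is easiest to see on a deliberately tiny search space. The sketch below is an added example, not code from the thesis or from any tool it mentions: the one-way function `F` (SHA-256 truncated to 16 bits), the XOR reduction, the start points and the parameters m = t = 40 (about N^(1/3)) are all assumptions chosen so that it runs in about a second.

```python
import hashlib

N = 1 << 16                      # toy search space; a real cipher makes N = 2**n huge

def F(key: int) -> int:
    """Toy one-way function to invert: SHA-256 truncated to 16 bits (assumption)."""
    return int.from_bytes(hashlib.sha256(key.to_bytes(2, "big")).digest()[:2], "big")

def reduce(y: int, table: int) -> int:
    """Per-table reduction R_i, so chains in different tables do not merge."""
    return y ^ ((table * 0x9E37) & 0xFFFF)

def step(x: int, table: int) -> int:
    return reduce(F(x), table)

def build(m: int, t: int, tables: int) -> list:
    """Precomputation: walk m chains of t steps per table, keep only end -> starts."""
    out = []
    for i in range(tables):
        ends = {}
        for c in range(m):
            start = x = i * m + c                 # constructed, distinct start points
            for _ in range(t):
                x = step(x, i)
            ends.setdefault(x, []).append(start)
        out.append(ends)
    return out

def invert(y: int, tabs: list, t: int):
    """Online phase: return a key k with F(k) == y, or None if y is not covered."""
    for i, ends in enumerate(tabs):
        z = reduce(y, i)
        for _ in range(t):
            for start in ends.get(z, []):         # endpoint hit; may be a false alarm
                x = start
                for _ in range(t):                # replay the chain from its start
                    if F(x) == y:
                        return x
                    x = step(x, i)
            z = step(z, i)
    return None

def stored_entries(tabs: list) -> int:
    return sum(len(starts) for ends in tabs for starts in ends.values())

if __name__ == "__main__":
    m = t = tables = 40                           # about N ** (1/3) each
    tabs = build(m, t, tables)
    hits = sum(invert(F(k), tabs, t) is not None for k in range(0, N, 257))
    print(f"stored {stored_entries(tabs)} of {N} points, recovered {hits}/256 sample keys")
```

Precomputation walks 64,000 points (about N), only 1,600 start points are kept (about N^(2/3)), and a look-up takes at most 1,600 chain steps plus false alarms, which is why a larger key or state size is the defence: every one of these costs grows with N.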
Later research into TMTO attacks led to many improvements on Hellman’s attack. First came the Distinguished Points method, which reduced the number of disk seeks and is attributed to Rivest [38]. Later Oechslin [136] devised a competing method with a slight speed-up, called Rainbow Table. The Rainbow Table attack seems to be better known, presumably due to its colourful name. Biryukov and Shamir [16] combined Hellman’s attack with a specific data-tradeoff attack against stream ciphers [8, 86] resulting in a more efficient TMTO attack for stream ciphers. An attacker can make generic TMTO tables for a stream cipher which can be matched against any large enough sample of keystream, increasing the success chance with every sample. This new understanding directly led to new proposed attacks against one of the most widely deployed stream ciphers in the world: GSM’s A5/1 cipher [17, 10].
In 2010 researchers demonstrated a TMTO attack to break the A5/1 cipher of GSM [134]. This attack used a TMTO method which combines two important, but very different TMTO improvements; namely Distinguished Points and Rainbow Tables [130]. This attack was previously suggested by Barkan et al. in 2006 [11], who called it a Fuzzy Rainbow Table attack, but which saw very little research attention since its inception. The tool created for breaking the A5/1 cipher was called Kraken.
It seems rather strange for these researchers to have chosen an, at that time, unresearched approach for their attack, so the question arises whether this Fuzzy Rainbow Table attack improves on the already existing attacks. This chapter aims to investigate how much, if any, of an improvement the Fuzzy Rainbow Table attack brings to the area of TMTO attacks.
Section 4.2 introduces the general idea of TMTO attacks. Section 4.3 introduces and analyses the four TMTO attacks: Hellman’s original attack [95] with Biryukov and Shamir’s improvement for stream ciphers [16], Rivest’s Distinguished Points approach [38], Oechslin’s Rainbow Tables [136], and the first theoretical analysis of the Fuzzy Rainbow Table attack (Section 4.3.4). Most of these attacks have previously been analysed by deriving trade-off curves, which we feel hide too much of the actual costs of these attacks. This is why we performed a new analysis which we expect